Earlier, network security architectures were designed with the enterprise data centre as the focal point. However, changing times and evolving digital businesses have driven new IT architectures like cloud and edge computing and new norms like work-from-anywhere, which have inverted access requirements, with more users, devices, applications, services and data located outside an enterprise rather than inside. Further, the network security models based on data centre perimeter security are ill-suited to address the dynamic needs of a modern digital business and its distributed digital workforce. Therefore, the legacy perimeter architecture must transform into a set of cloud-based, converged capabilities created when and where an enterprise needs them – that is, a dynamically created, policy-based secure access service edge (SASE). SASE offerings provide policy-based access to the internet, software-as-a-service (SaaS) apps and enterprise private apps (on-premises or infrastructure-as-a-service [IaaS]) all at the same time.

However, migration towards an SASE framework is not easy and requires security and risk management leaders to build a migration plan to outline the transition from the legacy perimeter and hardware-based offerings to an SASE model. Once this plan is set in action, the adoption of the SASE model will become easier. For instance, as per Gartner, at least 60 per cent of enterprises will have explicit strategies and timelines for SASE adoption by 2025, encompassing user, branch and edge access, up from 10 per cent in 2020.

Key features of the SASE model

To protect anywhere, anytime access to digital capabilities, security must become software-defined and cloud-delivered, forcing changes in the security architecture and vendor selection. However, perimeter-based approaches to securing anywhere, anytime access have resulted in a patchwork of vendors, policies and consoles, creating complexity for security administrators and users. In this scenario, enterprises that consider existing skill sets, vendors and products and timing of hardware refresh cycles as migration factors will reduce their SASE adoption time frame by half. SASE is a pragmatic and compelling model that can be partially or fully implemented. Branch office transformation projects, including software-defined wide area network (SD-WAN), multiprotocol label switching (MPLS) offload, and internet-only branch and associated cost savings, are part of the SASE project scope.

Adoption trends

Industry and client interest in SASE has exploded, primarily driven by existing enterprise needs being unmet by vendors. After Gartner published its initial research on the SASE market, the percentage of end-user enquiries mentioning SASE grew from 3 per cent in 2019 to 15 per cent in 2020 across the total number of end-user conversations on related security topics. This growth in interest continued in January 2021, with 17 per cent of end-user calls mentioning SASE across the same set of related markets. Moreover, there have been significant vendor consolidations, acquisitions and announcements to build out a complete SASE portfolio, with more expected over the next 12-24 months.

However, enterprise transition to a complete SASE model will take time. The reality is that enterprises have existing investment in hardware that is not fully amortised and software contracts with remaining time. Hardware refresh cycles at branch offices average five to seven years. Relationships and staff expertise with incumbent vendor offerings are another factor. Most large enterprises have separate network security and network operations teams, further complicating SASE adoption. Finally, not every vendor claiming to offer a SASE product currently delivers all of the required and recommended SASE capabilities. Moreover, not all of an SASE vendor’s capabilities are at the same level of functionality and maturity.

Existing gaps

The most significant gaps that will inhibit SASE migration include:

  • Organisational silos, existing investments and skills gaps: These are the biggest gaps that must be considered in migration planning. A full SASE implementation requires a coordinated and cohesive approach across network security and networking teams. For mid-size enterprises, this is an easier problem to address as a separate security team may not exist. In large organisations, these organisational structures, budgeting processes and responsibilities are quite rigid. Some vendors will be replaced and the associated skill sets will need to be repurposed towards policy creation in collaboration with business processes and application owners.
  • Architecture: SASE solutions are cloud-delivered, but vendors vary in the degree of “cloud nativeness” of their architecture. Legacy appliance and virtual appliance architectures need to be broken down into smaller, scalable components. The use of public cloud IaaS for points of presence (PoPs) versus owning PoPs is a difference among SASE providers that may impact adoption for some regions. Every enterprise has different requirements for compliance, and has privacy requirements for the inspection of data, storage of logs and routing of traffic. Geographic dispersion and the number of enforcement points will also impact the ability of an SASE provider to commit to availability and latency service-level agreements.
  • Sensitive-data visibility and control: This is a high-priority capability, but one of the most difficult problems for SASE vendors to address. Of the vendors converging on the SASE opportunity, cloud access security broker (CASB) providers have the most experience in dealing with sensitive data visibility and control. Even then, gaps remain. In the case of on-premises data stores and sensitive data stored at end points, sending data to a third party for sensitive-data identification is not a sustainable or cost-effective option. This capability must be delivered natively by the SASE offering, and provide options for the inspection of sensitive data.
  • SASE security services maturity: For the next several years, SASE capabilities will vary widely. Enterprises need to prioritise their needs for converged capabilities versus the need for continued best-of-breed capabilities until the gaps are closed. Some vendors are offering SASE to fill gaps with partnerships, but daisy chaining of services and/or network function virtualisation to deliver this is not a sustainable long-term option. Partnerships are tenuous as markets merge and former partners begin competing directly.
  • Limited number of comprehensive SASE offerings: At the start of 2021, fewer than 10 SASE offerings provided all of the core capabilities. Over the next five years, acquisitions and further market consolidation will address these gaps. As an interim step, converged security vendors that avoid the direct requirements of SD-WAN are being pressured by customers to address branch office access needs. They could provide a subset of SD-WAN capabilities, such as bandwidth prioritisation and content inspection.

Roadmap for SASE adoption

Security and risk management leaders responsible for infrastructure security should develop a roadmap for the adoption of SASE capabilities and offerings. This roadmap comprises key steps that need to be taken in the short as well as the long term. The key short-term recommendations include:

  • Deployment of zero trust network access (ZTNA) to augment or replace the legacy virtual private network (VPN) for remote users, especially for high-risk use cases.
  • Inventory equipment and contracts to implement a multi-year phase-out of on-premises perimeter and branch hardware in favour of cloud-based delivery of SASE capabilities.
  • Consolidation of vendors and reduction of costs and complexity as contracts renew for secure web gateways, CASBs and VPN. A converged market that combines these security edge services must be leveraged.
  • Actively engage with initiatives for branch office transformation and MPLS offload in order to integrate cloud-based security edge services into the scope of project planning.

Meanwhile, the long-term recommendations are:

  • Consolidate SASE offerings to a single vendor or two explicitly partnered vendors.
  • Implement ZTNA for all users regardless of location, including in the office or in the branch.
  • Choose SASE offerings that allow control of where inspection takes place, how traffic is routed, what is logged, and where logs are stored to meet privacy and compliance requirements.
  • Create a dedicated team of security and networking experts with a shared responsibility for secure access engineering spanning on-premises, remote workers, branch offices and edge locations.

Based on a research paper by Gartner